CVE-2026-35202: Pterodactyl: DB limit bypass via broken locking mechanism

AWAITING NVD
Published June 2, 2026
CISO Take

Pterodactyl Panel prior to v1.12.3 contains a logic flaw in which the Client API's locking around database allocation is non-functional, so any authenticated user who can create databases can exceed the assigned database limit by issuing concurrent creation requests. Despite its ml_ui categorization, Pterodactyl is a game server management panel with no native AI/ML functionality; AI/ML risk exists only where Pterodactyl manages infrastructure that hosts AI inference or experiment-tracking workloads. No CVSS score, EPSS data, public exploit, or CISA KEV listing is available at this time, so there is no public evidence of exploitation, although the attack itself requires nothing beyond an ordinary account and a client that can send parallel HTTP requests. Organizations running Pterodactyl should upgrade to v1.12.3 promptly and audit existing database allocations against their limits for overages that may indicate prior exploitation.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

LOW for direct AI/ML impact. The flaw is a TOCTOU race condition (CWE-367) combined with unconstrained resource allocation (CWE-770) in a game server management panel. Exploitation is trivial for any authenticated user with database creation rights: no AI or security expertise is required, only the ability to send several requests at once. The blast radius is limited to tenants sharing the same Pterodactyl instance, and in practice the same database host. Direct impact on AI/ML pipelines is contingent on whether Pterodactyl is used as an infrastructure management layer for AI workloads, which is an uncommon but plausible deployment pattern.

Attack Kill Chain

Initial Access
Attacker authenticates to Pterodactyl with a valid user account subject to database allocation limits.
AML.T0012
Exploitation
Attacker floods the Client API database creation endpoint with concurrent requests, exploiting the non-functional locking mechanism to race past quota enforcement before any request commits.
AML.T0049
Resource Exhaustion
Excess databases are provisioned beyond the attacker's allowed quota, consuming shared database server resources and connection pools.
AML.T0034
Impact
Co-hosted AI services, such as inference endpoints or ML experiment tracking backends, can be degraded or denied service as shared database resources are exhausted.
AML.T0029

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Upgrade Pterodactyl Panel to v1.12.3 or later; this is the only complete fix.

  2. Until patched, limit who can reach the Client API and, where databases are not needed, do not grant servers a database allocation at all. Rate limiting database creation at the reverse proxy or WAF narrows the window but cannot close a race: a handful of requests that land in the same window still overshoot the limit, so treat rate limiting as a stopgap rather than a mitigation.

  3. Audit every server's current database count against its configured database limit, in the admin panel or directly in the panel database, to detect overages from prior exploitation.

  4. Review the panel's activity log (where available) and reverse-proxy access logs for bursts of database creation API calls from a single account or source IP within a few seconds. A limit that was never exceeded can still show attempts that happened not to win the race.
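Steps 3 and 4 as runnable checks, added here as an example and not part of Pterodactyl or of the original advisory. The audit query is written for the panel's MySQL database but runs in this example on an in-memory SQLite copy of two tables so it works offline; the table and column names (`servers.database_limit`, `databases.server_id`) are assumptions about the panel schema, and the Client API path `/api/client/servers/<identifier>/databases` should be verified against your deployment. The rows and access-log lines are constructed for the demo.

```python
"""Post-exploitation checks for the database-limit bypass (added example).

find_overages(): servers whose database count exceeds their limit, via a
query written for MySQL but run here on an in-memory SQLite copy of the two
panel tables so the example works offline.
find_bursts(): bursts of POSTs to the Client API database endpoint in a
reverse-proxy access log, keyed by (source IP, server identifier).
Table, column and path names are assumptions; rows and log lines are constructed.
"""
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# The same query runs unchanged against the real panel database (MySQL/MariaDB).
AUDIT_SQL = """
SELECT s.id, s.name, s.database_limit, COUNT(d.id) AS actual
FROM servers AS s
LEFT JOIN databases AS d ON d.server_id = s.id
GROUP BY s.id, s.name, s.database_limit
HAVING COUNT(d.id) > s.database_limit
"""


def sample_panel_db() -> sqlite3.Connection:
    """Constructed stand-in for the panel tables: server 1 holds 4 databases on a limit of 2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE servers (id INTEGER PRIMARY KEY, name TEXT, database_limit INTEGER);
        CREATE TABLE databases (id INTEGER PRIMARY KEY, server_id INTEGER, database TEXT);
    """)
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?)",
                     [(1, "alpha", 2), (2, "beta", 1), (3, "gamma", 0)])
    conn.executemany("INSERT INTO databases VALUES (?, ?, ?)",
                     [(1, 1, "s1_a"), (2, 1, "s1_b"), (3, 1, "s1_c"), (4, 1, "s1_d"), (5, 2, "s2_a")])
    return conn


def find_overages(conn: sqlite3.Connection) -> list[tuple]:
    """Return (server_id, name, limit, actual) for every server over its limit."""
    return conn.execute(AUDIT_SQL).fetchall()


# Constructed nginx combined-format lines: one ordinary create, then six creates
# for one server from one IP inside two seconds, then an unrelated GET.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [02/Jun/2026:10:14:01 +0000] "POST /api/client/servers/1a2b3c4d/databases HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
    + [f'198.51.100.9 - - [02/Jun/2026:10:20:0{i // 3} +0000] "POST /api/client/servers/9f8e7d6c/databases HTTP/1.1" 200 512 "-" "python-requests/2.31"'
       for i in range(6)]
    + ['198.51.100.9 - - [02/Jun/2026:10:20:02 +0000] "GET /api/client/servers/9f8e7d6c/databases HTTP/1.1" 200 2048 "-" "python-requests/2.31"']
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
CREATE_PATH_RE = re.compile(r"^/api/client/servers/(?P<server>[^/]+)/databases/?$")


def find_bursts(log_text: str, window_s: int = 5, threshold: int = 3) -> dict[tuple[str, str], int]:
    """Return {(ip, server): n} where n >= threshold create requests fell within window_s seconds."""
    events: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = CREATE_PATH_RE.match(m["path"])
        if not path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[(m["ip"], path["server"])].append(ts)

    bursts: dict[tuple[str, str], int] = {}
    for key, times in events.items():
        times.sort()
        start, densest = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            bursts[key] = densest
    return bursts


if __name__ == "__main__":
    for row in find_overages(sample_panel_db()):
        print("over limit:", row)
    for (ip, server), n in find_bursts(SAMPLE_LOG).items():
        print(f"burst: {n} database creates for server {server} from {ip}")
```

The burst detector counts attempts, not successes, on purpose: a quota that was never exceeded can still carry the signature of an attack that lost the race, and a proxy log does not know the account, so the key is (source IP, server identifier). If the panel's activity log is available it gives the account directly and is the better source.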

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
6.1.2 - AI risk assessment
NIST AI RMF
GOVERN 1.1 - Policies, processes, practices, and personnel for AI risk management
MANAGE 2.2 - Mechanisms are in place to inventory AI systems

Frequently Asked Questions

What is CVE-2026-35202?

Pterodactyl Panel prior to v1.12.3 contains a logic flaw in which the Client API's locking around database allocation is non-functional, so any authenticated user who can create databases can exceed the assigned database limit by issuing concurrent creation requests. Despite its ml_ui categorization, Pterodactyl is a game server management panel with no native AI/ML functionality; AI/ML risk exists only where Pterodactyl manages infrastructure that hosts AI inference or experiment-tracking workloads. No CVSS score, EPSS data, public exploit, or CISA KEV listing is available at this time, so there is no public evidence of exploitation, although the attack itself requires nothing beyond an ordinary account and a client that can send parallel HTTP requests. Organizations running Pterodactyl should upgrade to v1.12.3 promptly and audit existing database allocations against their limits for overages that may indicate prior exploitation.

Is CVE-2026-35202 actively exploited?

No confirmed active exploitation of CVE-2026-35202 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35202?

1. Upgrade Pterodactyl Panel to v1.12.3 or later; this is the only complete fix. 2. Until patched, limit who can reach the Client API and, where databases are not needed, do not grant servers a database allocation at all; rate limiting database creation at the reverse proxy or WAF narrows the window but cannot close a race, so treat it as a stopgap. 3. Audit every server's current database count against its configured database limit, in the admin panel or directly in the panel database, to detect overages from prior exploitation. 4. Review the panel's activity log (where available) and reverse-proxy access logs for bursts of database creation API calls from a single account or source IP within a few seconds, including attempts that did not exceed the limit.

What systems are affected by CVE-2026-35202?

Pterodactyl Panel releases prior to v1.12.3 are affected. The AI/ML architecture patterns this page maps the CVE to are model serving and ML experiment tracking, which are exposed only where those workloads run on servers or database hosts managed by a vulnerable panel.

What is the CVSS score for CVE-2026-35202?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

model serving
ML experiment tracking

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: 6.1.2
NIST AI RMF: GOVERN 1.1, MANAGE 2.2

Technical Details

Original Advisory

Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.

Exploitation Scenario

An attacker with an ordinary Pterodactyl account whose server is limited to, say, two databases sends a burst of concurrent database creation requests to the Client API before any single request completes and commits. Because the locking mechanism is non-functional, every in-flight request reads the same pre-creation count, passes the quota check, and proceeds, so a burst of ten requests can yield ten databases instead of two. Where Pterodactyl manages servers that host AI inference endpoints or ML experiment tracking databases, the surplus databases consume the shared database host's connection limits or storage quotas and can disrupt other tenants' AI services, all without elevated privileges.
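The check-then-create race described above, as an added illustration rather than Pterodactyl's code: an in-memory allocator runs the same quota check under two kinds of lock, one shared by every request and one created fresh for each request. A per-request lock is one common way a locking mechanism ends up in the code while locking nothing; the page does not say which mistake the panel actually made, so that pattern is an assumption chosen for the demo. The list of names stands in for the panel's database table, and the sleep stands in for the provisioning round trip to the database host.

```python
"""Race demo: a per-request lock locks nothing; a shared lock enforces the limit.

Constructed illustration of the check-then-create race, not Pterodactyl's code.
"""
import threading
import time

SIMULATED_DB_LATENCY = 0.05  # seconds between the quota check and the insert


class DatabaseAllocator:
    """Models one server's database quota: at most `limit` databases."""

    def __init__(self, limit: int, shared_lock: bool):
        self.limit = limit
        self.databases: list[str] = []
        self.shared_lock = shared_lock
        self._lock = threading.Lock()  # the only lock that actually serialises callers

    def _lock_for_request(self) -> threading.Lock:
        # Broken variant: every request gets its own brand-new lock object, so
        # no two requests ever contend (assumed pattern, not a description of
        # the actual panel bug).
        return self._lock if self.shared_lock else threading.Lock()

    def create(self, name: str) -> bool:
        with self._lock_for_request():
            if len(self.databases) >= self.limit:  # quota check (time of check)
                return False
            time.sleep(SIMULATED_DB_LATENCY)       # provisioning round trip
            self.databases.append(name)            # commit (time of use)
            return True


def burst_create(allocator: DatabaseAllocator, requests: int) -> int:
    """Fire `requests` concurrent create calls; return how many succeeded."""
    start = threading.Barrier(requests)
    results: list[bool] = []
    results_lock = threading.Lock()

    def worker(i: int) -> None:
        start.wait()  # release every request at the same instant
        ok = allocator.create(f"s1_db{i}")
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(limit: int = 2, requests: int = 8) -> tuple[int, int]:
    """Return (databases created with the broken lock, databases created with the shared lock)."""
    broken = burst_create(DatabaseAllocator(limit, shared_lock=False), requests)
    fixed = burst_create(DatabaseAllocator(limit, shared_lock=True), requests)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print(f"limit=2, 8 concurrent requests: broken lock created {broken}, shared lock created {fixed}")
```

The property that matters is in the shared-lock variant: whatever primitive a real application uses (a row lock on the server record, a cache-backed lock, or an atomic conditional insert), it must be the same lock instance that every concurrent request contends for, and it must stay held across both the check and the insert. Rate limiting at the proxy only makes the burst smaller.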

Timeline

Published: June 2, 2026
Last Modified: June 2, 2026
First Seen: June 2, 2026
